DATABASE ACCESS METHOD AND SYSTEM FOR USER ROLE DEFINED ACCESS

FIELD OF THE INVENTION 


The invention relates to determination and granting of access to data and files by the 
file or database creator, owner or manager or by group or user access profiles. 

BACKGROUND 

Current database management applications and especially the access subsystems thereof support what could be called a "Single Organization Model". This means that all users of a system, even though they may work in various divisions of a company or various channels of a marketing organization, or even different entities leasing portions of the same database through a common vendor or service organization, are deemed to ultimately work for the same organization, and that organization is at the root of the organizational hierarchy.

Present access control mechanisms, built on the "Single Organization Model," are cumbersome when applied to multi-divisional or multi-channel organizations or to multi-tenant databases. This is because present access authorization systems are adapted to: (1) partition data to show users only those records that they or their position have been granted visibility to, and (2) show users all "global" data in a particular dataset. However, absent cumbersome "workarounds," present access authorization subsystems do not have the ability to partition data at the organizational or channel level. This makes it impossible, for instance, for companies using the "e-channel marketing" paradigm that do business in multiple countries in Europe to maintain separate price lists for each country and have only those price lists that are appropriate for a region or country be accessible. This cumbersome access control also makes it difficult for multiple small financial service organizations to outsource database and telephone support operations to a common vendor while preserving customer confidentiality.
SUMMARY

The invention is a database management system and a method of using the system. The system has an access control subsystem, and is characterized by a plurality of user entries representing users seeking access to data items, where each of the user entries has at least one organizational access attribute. The data stored in the underlying database has a plurality of data items. Each of the data items may be a data file, a data field within a data file, or a view of data items. Selected ones of the data items have at least one organizational access attribute. This organizational attribute is used by the access control subsystem. The access control subsystem receives a database query from a user requesting access to one or more of the data items. The access control subsystem reads the user's organizational access attributes, and reads the data item's organizational access attributes. The access control subsystem then presents to the user the data items to which the user has access authorization.


In one embodiment of the invention, particularly useful in channel marketing and in multi-divisional enterprises, the database files have a plurality of fields, and the users have personal, positional, and organizational attributes, and are divisible into multiple membership sets based upon organizational attributes. The database views are visible to users based upon the personal, positional, and organizational attributes of the users.

The data files and fields may extend across organizations, or they may be disjoint, extending to only one organization. Likewise, the users may be in overlapping organizations, or in only one organization.

According to this embodiment of the invention, the views visible to a user are determined by the user's organizational and positional attributes, and the view files are determined by a user's organizational and/or positional attributes. In a still further embodiment, the view files are determined by a user's organizational attributes, and view fields are determined by a user's positional attributes.

In an alternative embodiment of the invention a plurality of organizations exclusively own individual data files in the database management system. An individual data file has a single owner. The access control subsystem is configured to authorize a customer of the owner organization to have access to their own data items and to grant access to their own data items to an additional user, for example, a telephone service representative, while the customer accesses the data items. The customer can authorize the additional user to access and update the data item.

In this embodiment, the database system may be regarded as a partitionable database with a plurality of separate virtual databases. Each of the separate virtual databases may have a unique database owner, and a user can only access files in a virtual database to which the user has access authorization from the database owner.

The separate virtual databases may be disjoint, for example with common ownership or separate and unique owners. Access may depend upon authorization from the database owner to access either the database or a file within the database, and where the user requesting access is not the owner of the file, access may require authorization from the owner of the file. This situation typically occurs in a multi-tenant database having a plurality of tenants, where each tenant is the owner of a separate virtual database, and at least two of the tenants utilize a common call center service, as is the case with a large financial institution servicing the customer accounts of other financial institutions.

THE FIGURES 

The method and system of the invention are illustrated in the FIGURES. 

FIGURE 1 represents a simplified, high level view of the schema of a database of the "multi-organization support" method and system of the invention.

FIGURE 2 represents a simplified, high level view of the schema of a database of the 
"multi-tenancy support" method and system of the invention. 

OVERVIEW 

This invention relates to database access and more particularly to methods and systems for controlling database access through an access authorization subsystem of the database management system. The access authorization subsystem utilizes user and data attributes that have utility beyond database access or visibility; the access authorization subsystem filters, screens, and queries these attributes to determine the access or visibility of a user to a data item. The ability to dynamically support database access based upon the instantaneous role of the user at the time of access, that is, in real time, requires a user role defined access authorization subsystem such as the "Multiple Organization Model," having a schema as shown at a very high level in FIGURE 1, or the "Multi-Tenant Model," having a schema as shown at a very high level in FIGURE 2.

The concept of the "multiple organization model" or "multi-organizational" support is especially important to e-channel marketing. The driving force behind e-channel marketing is that multiple channel partners share a common database, including business objects and tools, with the main company. Each of the channel partners should only see data that is relevant to their own organization. This means that they would not see data for other channel partners or non-global data from the parent organization.

Similarly, the concept of the "Multi-Tenant Model" or "Multi-Tenant Support" is especially important to small financial service providers, retailers, and the like. This is because multi-tenant support enables these businesses to outsource, for example, their credit card operations to a service agency or large financial services organization, with the telephone support staff member of the large financial services organization gaining real-time access to the individual account being serviced during the service call.

DETAILED DESCRIPTION

This invention relates to database access where a user's access rights to specific data items are defined dynamically, that is, in real time, based upon the user's status at the time of access request, and data and user attributes having independent utility and significance apart from access and visibility. Colloquially, the user has one set of access authorizations while wearing a red hat and another set of access authorizations while wearing a blue hat. The hats could represent roles as a telephone service representative for multiple credit card issuers sharing a multi-tenant, vendored, database, or roles as a marketing representative of a company in first and second regions.
The database access system and method of the invention utilizes a division of the data "owners" either (1) hierarchically, that is, vertically, with horizontal divisions in branches, or (2) horizontally, that is, into separate virtual databases. The database itself is divided into files, the files are divided into records, and individual records are divided into fields. In either mode of division, the schema and metadata needed would be sophisticated, and user access is based upon the user's relationship to one or more owners in the hierarchy (for example, owners could be independent lessees of database capacity or divisions in a multi-divisional enterprise).

The method and system of the invention builds upon partitionability of the individual database files in the database based upon an attribute of ownership and/or control. For example, in the multi-tenancy model, the database might be partitionable into separate and distinct individual virtual databases, as in the case of financial services organizations, for example competing financial services organizations, vendoring database capacity, database management services, and telephone support services for a service provider. By way of contrast, in the multi-organization support model, the database's parent organizational owner is hierarchically and organizationally divisible, for example into divisions, departments, and offices, where each branch point may be a hierarchical level and each branch may be a functional owner of a portion of the enterprise database.

In both embodiments user access is triggered by a "need to know" or "convenient to know." In the multi-tenancy embodiment, the access is typically triggered by an incoming call to a vendored call center, and the view is the customer's computer telephony integration (CTI)-identified account number. Similarly, in the multi-organization support embodiment, the access is triggered by end-user action, and the specific view is triggered by the end-user's logon, that is, which division or channel or reporting chain is used for this task.

Multi Organization Support 

In a large organization where the same products and/or services are rendered through different employees and/or rendered to different customers, or where some goods, services, or customer sets are prohibited to some employees or organizations and permitted to others (for example, sale of encryption equipment or code to the PRC, or the sale with English only labeling/instructions in Quebec), and the product set is too large and/or unwieldy to maintain separate databases, there is a definite productivity advantage to organizationally limiting access so that the marketing representative is not inundated with "useless" information. This is accomplished by assigning access authorization organizationally, including regionally. This way, when a sales or service rep or a channel partner enters a "MYLIST" command, he or she is only presented with a virtual database of the products and/or services that he or she can actually render. This is the "single database — multiple independent users" embodiment, also referred to as the "multi-organization support" method and system.

FIGURE 1 is a very high level view of the database schema of a "multi-organization support" model. The schema, 1, has, for purposes of illustration, five fields in each record. These fields are the Sales Rep, 11, the Division, 13, the Profit Center (within the Division, 13), 15, the customer, 17, and the sales to that customer in the year 2000, 19. Sales Representative Patterson, 21, is in the Microelectronics Division, 21A, 21B, and sells in two profit centers of the division, cards and chips. Hennessey, 23, is in only one Division, the Server Division, 23A, and sells the goods of only one profit center, RISC 6000. Also in the Server Division, 25B, is Streetman, 25, who only sells the product of one profit center, the AS400 profit center. Sales Representative Sze, 27, is also in the Server Division, here 27A, and only sells the products of one profit center, the ENT 9000 profit center.

The multi-organization support utilizes new types of visibility attributes called "organization" and "organization team" visibility. In the multi-organization support method and system of the invention, the records that a user sees with "organization" and "organization team" visibility are restricted based upon the organization(s) that the user has been given visibility into, while the ones the end user sees with "position" and "position team" visibility are restricted based upon the user's current position. While there may be some overlap between "organization" attributes and "position" attributes, they may confer different rights. For example, "organization" attributes may only confer "read" authorization, while "position" attributes may confer "read," "write", and "delete" authorization. The "organization" and "organization team" visibility is used in a series of "My Organization's" views that show all of the data that the user's organization has been granted visibility to. In this way, multiple organizations can share the same database but see a partitioned set of data that is pertinent to them. It is also to be understood that there may be inheritance of access up and down and across a hierarchy.

One access attribute specifies the visibility attributes of the higher level organization, for example a division. This means that the number of distinct organizational partitions will be relatively small compared to the overall number of divisions in the hierarchy. Also, organizational partitions should be relatively high in the hierarchy. Therefore, most of the lower level entities in a large enterprise, for example a domestic marketing division of a large international enterprise, may reference the US division as their visibility organization. This would enable all people who work for any of those lower level product or marketing organizations to see the same partition of data.

The relationship between divisions and positions is normally a 1-to-many relationship, although the system and method of our invention can support a many-to-many relationship. That is, a position belongs to exactly one division. If a user needs to have access to data in multiple organizations, then the user would be required to have positions in the appropriate organizations, or, in an alternative embodiment of our invention, to have personal or positional access to the data separate and apart from but in addition to his or her organizational access to the data. This could be done by having positions specifically for granting visibility to users outside of the organization.

Single organization ownership is added to an entity by adding a foreign key to the owning organization and configuring the business component appropriately. Organization teams are added to an entity by adding an intersection table between that entity and organization and a foreign key to the primary owning organization, and configuring the business component appropriately.

During login, while the system is collecting information about the positions a user is associated with, the system looks at the user's division or divisions and collects the set of organizations those divisions have visibility into. If a user has n positions, that is, n positional attributes, the user will have between 1 and n organizations for visibility.

The organization and organization team visibilities are used for "My Organization's" views to show the user all of the records for the entity where the user's "current" organization is either the owner, or on the organization team. The user's "current" organization will be the visibility organization assigned to the division of the user's current position. When a user changes current position, the current organization will be changed automatically.

Channel Partners may be administered by creating a division node or hierarchy as the visibility organization in the appropriate table. All sub-organizations for that channel partner should specify the root channel partner division node as the visibility organization. Similarly, the Pick Lists and association lists for entities that are "multi-org'd" will show the appropriate organization specific data.

Channel partners may either assign access authorization to their own users or request the database owner to assign access authorization.

Multi Tenancy Support 

An alternative embodiment of our invention is the "multiple tenancy" model described with respect to CTI applications. This embodiment solves problems associated with the situation of a plurality of merchants and/or financial services organizations vendoring out their telephone service and data processing operations to a common vendor. The common vendor stores the merchants' and institutions' customer accounts in an access controlled database while also providing customer telephone support service for the customer accounts. That is, the CTI (computer-telephony integration) automatically switches the agent to the correct slice (that is, customer files) of the database. Access to a customer account is authorized in real time during the individual telephone support session with the customer. During the individual customer support session, the telephone support representative has access to the individual merchant's or financial institution's business objects, queries, and views, as well as those of the database service provider.
FIGURE 2 shows a very high level view of the "multi-tenant" database schema, 1. This schema shows three banks in the Bank column, 31: CITI, 43, MBNA, 45, and BankOne, 47. In the customer column, 33, each bank is shown with only two customers: McCabe, 43A, and Smith, 43B, for CITI, 43; Van Ness, 45A, and Bird, 45B, for MBNA, 45; and Stewart, 47A, and Lightfoot, 47B, for BankOne, 47. Each customer has an account number, shown in column 35, and space for the last three transactions, shown in columns 37, 39, and 41. In operation, if Van Ness were to call the Vendor's support center on the appropriate access number, and properly enter the account number shown for Van Ness in column 35, line 45, Van Ness's account would come up on the CTI operator's screen, and both Van Ness and the CTI operator would have access to account information.

To be noted is that when a caller calls in to an outsourcing call center or multi-tenancy call center, the caller gets switched to the slice of the database for that tenant (for example, the slice of the database assigned to their financial service provider), not just the particular file for that particular caller or customer. This is important because in this way the customer can access information about the Products, Price Lists, Service Requests and Services of the tenant that are provided by the tenant, either directly or through outsourcing.


While the invention has been described with respect to certain preferred embodiments 
and exemplifications, it is not intended to limit the scope of the invention thereby, but 
solely by the claims appended hereto. 
We claim:

1. A database management system having an access control subsystem, said database management system comprising:

a) a plurality of user entries representing users seeking access to data items, each of said user entries having at least one organizational access attribute; and

b) a plurality of data items, each of said data items being a data file, a data field within a data file, or a view of data items, and selected ones of said data items have at least one organizational access attribute;

said access control subsystem being configured to:

a) receive a database query from a user requesting one or more data items;

b) read the user's organizational access attributes;

c) read the data item's organizational access attributes; and

d) present data items to the user to which the user, based on the user's access attributes, has access.

2. The database management system of claim 1 in which access is granted to the user by determining whether the user's organizational access attributes and the data item's organizational attributes include a match.

3. The database management system of claim 1 wherein a plurality of organizations exclusively own individual data files in the database management system, whereby an individual data file has a single owner.

4. The database management system of claim 3 wherein said access control 
subsystem is configured to authorize a customer of an owner organization having 
access to a data item to grant access to the data item to an additional user while the 
customer accesses the data item. 



WO 01/077787 PCT/US01/40405

5. The database management system of claim 4 wherein said access control 
subsystem is configured to authorize the customer of the owner organization to access 
the data item and to thereafter authorize the additional user to access and update the 
data item. 

6. The database management system of claim 1 wherein said organizational access attributes are configured hierarchically, such that each organizational access attribute has a hierarchical level and a hierarchical branch, and each user access attribute has a hierarchical level and a hierarchical branch, and said access control subsystem is configured to grant access based on one or both of (a) the hierarchical levels of the user and data item, or (b) the hierarchical branch of the user and data item.

7. The database management system of claim 6 wherein said hierarchical levels 
correspond to ranges of organizations, and to data items identified thereto. 

8. The database management system of claim 7 wherein the data items are chosen 
from the group consisting of data fields, data files, and views. 

9. The database management system of claim 6 wherein said hierarchical branches correspond to virtual or real organizations and data items identified thereto.

10. The database management system of claim 9 wherein said data items are chosen 
from the group consisting of data files and views. 

11. The database management system of claim 6 wherein hierarchical levels correspond to access to data fields and data views, and hierarchical branches correspond to access to data files and data views.

12. A method of managing a database having:

a) a plurality of user entries representing users seeking access to data items, each of said user entries having at least one organizational access attribute; and

b) a plurality of data items, each of said data items being a data file, a data field within a data file, or a view of data items, and selected ones of said data items have at least one organizational access attribute;
said method comprising:

a) receiving a database query from a user requesting one or more data items;

b) reading the user's organizational access attributes;

c) reading the data item's organizational access attributes; and

d) presenting data items to the user to which the user, based on the user's access attributes, has access.

13. The method of claim 12 comprising determining whether the user's organizational access attributes and the data item's organizational access attributes include a match, and if so, granting access.

14. The method of claim 12 wherein a plurality of organizations exclusively own 
individual data files in the database management system, and an individual data file has 
a single owner. 

15. The method of claim 14 comprising a customer of an owner organization having access to a data item granting access to the data item to an additional user while the customer is accessing the data item.

16. The method of claim 15 comprising the customer of the owner organization accessing the data item and to thereafter authorize the additional user to access and update the data item.

17. The method of claim 12 wherein said organizational access attributes are configured hierarchically, such that each organizational access attribute has a hierarchical level and a hierarchical branch, and each user access attribute has a hierarchical level and a hierarchical branch, said method comprising granting access based on one or both of (a) the hierarchical levels of the user and data item, or (b) the hierarchical branch of the user and data item.
18. The method of claim 17 wherein said hierarchical levels correspond to ranges of organizations, and to data items identified thereto.

19. The method of claim 18 wherein the data items are chosen from the group consisting of data fields, data files, and views.

20. The method of claim 17 wherein said hierarchical branches correspond to virtual or real organizations and data items identified thereto.

21. The method of claim 20 wherein said data items are chosen from the group consisting of data files and views.

22. The method of claim 17 wherein hierarchical levels correspond to access to data fields and data views, and hierarchical branches correspond to access to data files and data views.

23. A method of managing a database system having a plurality of files, said files having a plurality of fields, said database being divisible into multiple sets of file and field entries having views visible to users having personal, positional, or organizational attributes associated with the said views, said users being divisible into multiple membership sets based upon organizational attributes, which method comprises:

(a) determining the personal, positional, and organizational attributes of users; and

(b) when a user queries the database:

(i) accessing files and fields within the database to which the user has access based upon the user's attributes; and

(ii) presenting a view to which the user has access based upon the user's attributes.

24. The method of claim 23 comprising determining access to files based upon one attribute and determining access to fields based upon another attribute.
25. The method of claim 23 comprising determining access to files based upon a first organizational attribute and determining access to fields within the files based upon one of a personal attribute or a second organizational attribute.

26. The method of claim 23 comprising determining access to a file based upon an attribute and to at least one field in the file based upon the same attribute.

27. The method of claim 26 comprising determining access to a file based upon an 
organizational attribute and to at least one field in the file based upon the same 
organizational attribute. 

28. The method of claim 25 wherein one of said users is an internal user having access to first portions of a view, and wherein another one of said users is an external user having access to second portions of the view.

29. The method of claim 28 wherein said first and second portions of the view are 
partially overlapping and partially non-overlapping. 

30. A database system comprising a database having a plurality of files, said files having a plurality of fields, said users having personal, positional, and organizational attributes, and being divisible into multiple membership sets based upon organizational attributes, said database having views visible to said users based upon the personal, positional, and organizational attributes thereof.

31. The database system of claim 30 wherein the multiple sets of files and fields are overlapping across organizations.

32. The database system of claim 30 wherein the multiple sets of files and fields are 
disjoint across organizations. 

33. The database system of claim 30 wherein the multiple sets of users are in 
overlapping organizations. 

34. The database system of claim 30 wherein the multiple sets of users are in disjoint organizations.
35. The database system of claim 30 wherein views visible to a user are determined by the user's organizational and positional attributes.

36. The database system of claim 35 wherein view files are determined by a user's 
organizational attributes. 

37. The database system of claim 35 wherein view fields are determined by a user's positional attributes.

38. The database system of claim 35 wherein view files are determined by a user's 
organizational attributes, and view fields are determined by a user's positional 
attributes. 

39. A database system comprising a partitionable database of a plurality of separate virtual databases, each of said separate virtual databases having a unique database owner, and wherein a user can only access files in a virtual database to which the said user has access authorization from the database owner.

40. The database system of claim 39 wherein said separate virtual databases are disjoint.

41. The database system of claim 40 wherein said separate, disjoint virtual databases have unique owners.

42. The database system of claim 41 wherein a user requires authorization from a 
database owner to access the owner's separate, virtual database. 

43. The database system of claim 42 wherein a user requires authorization from the owner of a file within the separate, virtual database to access the file owner's file.

44. The database system of claim 43 wherein a user's access authorization to a 
particular file in the virtual database is granted by the file owner's initiation of a 
database call through an associated computer telephony integration (CTI) system. 
45. The database system of claim 44 wherein the database is a multi-tenant database having a plurality of tenants, each tenant being the owner of a separate virtual database, at least two of the tenants utilizing a common call center service.

46. A method of managing a database system having a partitionable database of a plurality of separate virtual databases, each of said separate virtual databases having a unique database owner, said method comprising the owner of a separate virtual database granting access authorization to a user, and the user thereafter accessing a file in the virtual database to which the said user has been granted access authorization from the database owner.

47. The database management method of claim 46 wherein said separate virtual databases are disjoint.

48. The database management method of claim 47 wherein said separate, disjoint 
virtual databases have unique owners. 

49. The database management method of claim 46 wherein a user requires authorization from the owner of a file within the separate, virtual database to access the file owner's file.

50. The database management method of claim 49 wherein the file owner grants 
access authorization to the file owner's file in the virtual database to a user. 

51. The database management method of claim 50 wherein the file owner's initiation of a database call through an associated computer telephony integration (CTI) system grants access authorization to the file owner's file to a user.

52. The database management method of claim 51 wherein the database is a multi-tenant database having a plurality of tenants, each tenant being the owner of a separate virtual database, at least two of the tenants utilizing a common call center service.
